
Nagios XI vulnerabilities

192 known vulnerabilities affecting nagios/nagios_xi.

Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94

Vulnerabilities

Page 4 of 10
CVE | priority | severity | CVSS | version (fixed in / affected) | date | source

CVE-2023-40933 | P3 | HIGH | CVSS 8.8 | fixed in 5.11.2 | 2023-09-19 | source: nvd
CVE-2023-40933 [HIGH] CWE-89: A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.

CVE-2024-13996 | P3 | CRITICAL | CVSS 9.8 | fixed in 2024 | v2024 | 2025-10-30 | source: nvd
CVE-2024-13996 [CRITICAL] CWE-613: Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access

CVE-2016-15050 | P3 | HIGH | CVSS 8.8 | fixed in 5.2.4 | 2025-10-30 | source: nvd
CVE-2016-15050 [HIGH] CWE-89: Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notificat

CVE-2020-36859 | P3 | HIGH | CVSS 8.8 | fixed in 5.7.4 | 2025-10-30 | source: nvd
CVE-2020-36859 [HIGH] CWE-89: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lea

CVE-2020-28900 | P3 | CRITICAL | CVSS 9.8 | ≤ 5.7.5 | 2021-05-24 | source: nvd
CVE-2020-28900 [CRITICAL] CWE-345: Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.

CVE-2024-33775 | P3 | CRITICAL | CVSS 9.8 | v2024 | 2024-05-01 | source: nvd
CVE-2024-33775 [CRITICAL] CWE-269: An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

CVE-2020-15903 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.7.3 | 2020-09-09 | source: nvd
CVE-2020-15903 [CRITICAL]: An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by the nagios user. This issue was fixed in version 5.7.3.

CVE-2024-14004 | P3 | HIGH | CVSS 8.8 | fixed in 2024 | v2024 | 2025-10-30 | source: nvd
CVE-2024-14004 [HIGH] CWE-269: Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration data or leverage insufficiently validated configuration settings to obtain elevated privileges on the Nagios XI system.

CVE-2025-67255 | P3 | HIGH | CVSS 8.8 | v2026 | 2025-12-29 | source: nvd
CVE-2025-67255 [HIGH] CWE-89: In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability.

CVE-2022-38250 | P3 | CRITICAL | CVSS 9.8 | v5.8.6 | 2022-09-07 | source: nvd
CVE-2022-38250 [CRITICAL] CWE-89: Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

CVE-2020-28906 | P3 | HIGH | CVSS 8.8 | ≤ 5.7.5 | 2021-05-24 | source: nvd
CVE-2020-28906 [HIGH] CWE-276: Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.

CVE-2025-34286 | P3 | HIGH | CVSS 7.2 | fixed in 2026 | 2025-10-30 | source: nvd
CVE-2025-34286 [HIGH] CWE-78: Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in ar

CVE-2021-47693 | P3 | HIGH | CVSS 8.8 | fixed in 5.8.5 | 2025-10-30 | source: nvd
CVE-2021-47693 [HIGH] CWE-89: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to un

CVE-2020-27988 | P3 | MEDIUM | CVSS 5.4 | fixed in 5.7.5 | 2020-11-16 | source: nvd
CVE-2020-27988 [MEDIUM] CWE-79: Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).

CVE-2025-34134 | P3 | HIGH | CVSS 7.2 | fixed in 2024 | v2024 | 2025-10-30 | source: nvd
CVE-2025-34134 [HIGH] CWE-78: Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfile and bpi_configfile) allow an authenticated administrative user to cause the product to create or

CVE-2020-36857 | P3 | HIGH | CVSS 7.2 | fixed in 5.6.14 | 2025-10-30 | source: nvd
CVE-2020-36857 [HIGH] CWE-89: Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead t

CVE-2024-14008 | P3 | HIGH | CVSS 7.2 | fixed in 2024 | v2024 | 2025-10-30 | source: nvd
CVE-2024-14008 [HIGH] CWE-78: Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution

CVE-2012-10063 | P3 | CRITICAL | CVSS 9.8 | ≤ 2011 | v2012 | 2025-10-30 | source: nvd
CVE-2012-10063 [CRITICAL] CWE-89: Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation cou

CVE-2020-22427 | P3 | HIGH | CVSS 7.2 | v5.6.11 | 2021-02-15 | source: nvd
CVE-2020-22427 [HIGH]: NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and the only option is to pay for a subscription service where technical details may

CVE-2020-28910 | P3 | CRITICAL | CVSS 9.8 | ≤ 5.7.5 | 2021-05-24 | source: nvd
CVE-2020-28910 [CRITICAL] CWE-732: Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.